Today, with faster internet speeds, the XML-RPC function has become redundant to most users. It still exists because the WordPress app and some plugins like JetPack utilize this feature.
If you don’t use any of these plugins, mobile apps, or remote connections, it’s best to disable it. Why? Every additional element on your site gives hacks one more opportunity to try to break into your site. Disabling the feature makes your site more secure.
In this article, we’ll show you why and how to disable XML-RPC.
What Is XML-RPC?
XML-RPC is a feature of WordPress. It enables a remote device like the WordPress application on your smartphone to send data to your WordPress website. If you want to publish an article on your WordPress website via the WordPress application, XML-RPC is what enables you to do that.
If you look at the phrase XML-RPC, it has two parts. RPC is a Remote Procedure Call which means you can remotely call for actions to be performed. And here, XML (Extensible Markup Language) is used to encode the data that needs to be sent.
Do You Need XML-RPC?
To decide if you need XMLRPC, you have to first understand what functions does the XMLRPC serves on your WordPress website. The file serves three primary functions:
- WordPress App – If you use the WordPress app on your mobile device to post to your site, you need XML-RPC. The app uses this function to communicate to your WordPress website by making a remote connection.
- Trackbacks and pingbacks – When you publish content, if you have provided a link to another blog or a website, this feature will alert the other website that you’ve linked to them. Trackbacks are created manually while pingbacks are automated. If you use these options, you need access to the XML-RPC.php file to be enabled.
- JetPack plugin – JetPack is a popular plugin that is used by over 5 million WordPress sites. It offers services related to security, performance and site management. It uses XML-RPC to communicate with WordPress.com. If you’re a subscriber of JetPack, you need XML-RPC enabled.
Is XML-RPC Dangerous?
The straightforward answer is no. But we can’t stop there. Let’s take a step back.
Initially, a manual WordPress installation had XML-RPC disabled by default. To enable it, you had to go to Settings > Writing > Remote Publishing. However, from version 3.5 onwards, WordPress has it enabled by default and the option to enable or disable it was removed.
In September 2015, a vulnerability appeared in the XML-RPC function. WordPress released a patch immediately in version 4.4.1. But millions of websites are still running on outdated versions which put them at potential risk of being hacked.
XML-RPC is safe, so long as you’ve installed WordPress version 4.4.1 or higher.
75% of WordPress sites are running on outdated versions! Update your website to avoid the risk of being hacked. Click To Tweet
Then why do we recommend disabling it?
Hackers try to find any element on your website that has a weakness. They exploit it and break into your site. With XML-RPC, there are two weaknesses that could possibly be exploited by hackers:
- When you want to publish content from a remote device, an XML-RPC request is created. These requests are authenticated with a simple username and password. This is a basic security check. If a hacker manages to get their hands on these credentials, they could use it to send their own requests. In this way, they gain access to your site.
- XML-RPC is designed for users to publish content in large volumes. This enables brute force attacks wherein hackers use bots to try to guess your username and password. Through the XML-RPC function, they can make login attempts by sending large amounts to guess your credentials.
Lastly, if a hacker has already gained access to your site, they can misuse the XML-RPC pingback function to carry out DDoS attacks. In such an attack, hackers bring down websites (usually ones of big brands or governments) by sending pingbacks from thousands of sites. This sudden surge in data being received overloads the target’s web server and can possibly crash the site.
In the previous section, we mentioned why you need XMLRPC. But if you are not using the WordPress mobile app nor the JetPack plugin and if you don’t find trackbacks and pingbacks useful then it’s best to disable the xmlrpc.php files.
By disabling it, you will ensure that the feature/function cannot be used to hack your WordPress website.
How to disable XML-RPC in WordPress
You can block the XML-RPC feature on your WordPress website manually or you could use a plugin. We recommend using a plugin because it’s faster, simpler and doesn’t carry any risk. The manual method involves making changes to your WordPress files which is always risky business. That said, we’ll show you both the methods.
Disable XML-RPC using a plugin
To block WordPress xmlrpc.php requests, there is a plugin called ‘Disable XML-RPC’ that you can use. It’s simple and straightforward. Here’s how you can set it up on your site:
1. Login to your wp-admin dashboard.
2. On the left-hand menu, choose ‘Plugins’.
3. Here, click on ‘Add New”.
4. Here, search for the ‘Disable XML-RPC’ plugin. The plugin is compatible with any WordPress site running on version 3.5 and above.
5. Install and activate the plugin. It will automatically disable WordPress xmlrpc.php in once you activate the plugin.
6. If you ever want to enable XMLRPC, then just deactivate the plugin.
Disable XML-RPC Manually
As we mentioned earlier, the manual method is risky, hence you need to take a few precautions before you disable XMLRPC on your WordPress site.
- Take a full backup of your WordPress site. In the manual method, we will be Altering WordPress files which carries high risk. Small mistakes can end up breaking your website. If things go wrong, you can always restore your backup.
- We recommend using a staging WordPress site to disable XML-RPC manually. Here, you can make changes to the staging site without affecting your live site. Once you’re sure it works fine, you can simply push the change to your live site. Staging sites are easy to create with the BlogVault plugin. Alternatively, your host may provide you with this option.
With these precautions handled, we can begin with the manual method of disabling XML-RPC on your WordPress site:
1. Login to your WordPress hosting platform account and go to ‘cPanel’. Here, you will see ‘File Manager’.
2. Once inside the file manager, you’ll see a list of folders. Your website’s folders should be under the folder named ‘public_html’. It will have three main folders – wp-admin, wp-content, and wp-includes.
3. Find the ‘htaccess’ file here. And if you don’t, you can use the search bar on the top-right of the screen to look for it.
If your website has a .htaccess file but you can’t see it, visit settings and click on ‘show hidden files.’
If your website doesn’t have an htaccess file, you can create one. Use the ‘+File’ option on the top-left corner of the screen.
4. Open the .htaccess file by right-clicking and choosing ‘Edit’.
5. Paste the following code that disables XML-RPC to this file:
# Block WordPress xmlrpc.php requests <Files xmlrpc.php> order deny,allow deny from all allow from xxx.xxx.xxx.xxx </Files>
If you would like to retain XML-RPC from a particular IP, replace ‘xxx.xxx.xxx.xxx’ with your IP address, Otherwise, you can simply delete this line.
6. Save and close the file.
No Access to File Manager
If you don’t have access to File Manager, you can carry out the same process using an FTP client. Follow our WordPress Tutorial on using FTP. WordPress XML-RPC should be disabled on your website. If you used a WordPress staging site, merge the changes. If you are not using a staging site, replicate the steps on the live site. We recommend that you visit your site and check your pages to make sure everything is functioning fine.
I disabled XML-RPC on my WordPress site with this easy step-by-step guide from MalCare. Click To Tweet
Remember, if you choose to use the XML-RPC function, make sure your WordPress installation is updated. You need to be using version 4.4.1 or higher to ensure your website is not at risk of being hacked.
If you don’t need the XML-RPC feature, disabling it makes your site more secure against hackers. But this doesn’t ensure all-round protection of your WordPress site. Even if you disable XML-RPC in WordPress, there are many other ways of hacking your website.
To protect your website from all kinds of hack attacks, we recommend using a security plugin like MalCare. It will monitor your website regularly and proactively blocking access of malicious traffic. In case of a hack, you can quickly clean up your site and minimize any damage.